Malware, in general, has four main characteristics:
1. An initial infection vector – how it got on the system in the first place; this can be through browser download, email attachment, etc.
2. Artifacts – what actions does the malware take upon infection and what footprints does it leave? It’s sufficient and quicker to use what’s available from AV sites.
3. Propagation Mechanism – How does the malware get about? Is it a worm that exploits a known or unknown vulnerability? Or does it infect files at the root of drives and add autorun.inf files? Understanding the propagation mechanism can help.
4. Persistence Mechanism – Malware likes to remain persistent and there are a finite number of ways to do that on a Windows system. The persistence mechanism can relate back to Artifacts; however, this would be an artifact specifically intended to allow the malware to survive reboots.
So how can we go about tracking down malware, detecting its presence?
Forensically, acquire an image because you need to determine if there’s malware on the system, then do any of the following:
1.Target the Artifacts
Do a quick, surgical scan that detects malware. Tools such as RegRipper can make this a fast and extremely easy process (remember, for live systems, you can use RegRipper in combination with F-Response).
Artifacts that have remained fairly static (Registry modifications) with some new ones (Scheduled Task) being added helps narrow down the false positives.
There are a number of logs on Windows systems that may provide some insight into malware detection. For example, maybe the installed AV product detected and quarantined a download. Depending on the product, this may appear in the AV product logs as well as the Event Log.
Or perhaps the AV scanner’s real-time protection mechanism was disabled and the user ran a scan at a later time that detected the malware.
Either way, check for an installed AV or anti-spyware product, and check the logs. Also, examine the Event Logs and don’t forget mrt.log.
Another way to go about detecting the presence of malware on systems is to scan for it using AntiVirus products. But just one commercial AV product isn’t enough. The key to running scans is to know what the scan is looking for so that you can better interpret the results.
For example, look at tools such as sigcheck and missidentify; both are extremely useful, but each tool looks for certain things. Another scanning tool that can be extremely useful is Yara.
With the amount of malware that subverts Windows File Protection (WFP) in some manner, tools like wfpcheck can be used to determine if something on the system modified any of the “protected” files.
As part of any AV Malware detection process, you’ll need to document what you did, what you looked for, and what tools you used in order to recreate the process.